From: Matthias B. <bar...@ba...> - 2013-07-05 07:18:02
Hi,

I have a setup with OpenSC version 0.13.0-0git-2012112910105, supplied as a Debian package from gooze.eu, and OpenVPN version 2.2.1-8 on Mint 14 LMDE. My OpenVPN tunnel runs perfectly when I use the certificate and key as files: the tunnel comes up and works as expected. I added the certificate and the key to an ePass2003 token. When I try to use the token with the opensc-pkcs11.so provider I get the following log output:

Fri Jul 5 09:07:41 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 23 2012
Fri Jul 5 09:07:41 2013 PKCS#11: Adding PKCS#11 provider '/usr/lib/opensc-pkcs11.so'
Fri Jul 5 09:07:48 2013 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 5 09:07:48 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jul 5 09:07:48 2013 LZO compression initialized
Fri Jul 5 09:07:48 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Jul 5 09:07:48 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Jul 5 09:07:48 2013 Local Options hash (VER=V4): '41690919'
Fri Jul 5 09:07:48 2013 Expected Remote Options hash (VER=V4): '530fdded'
Fri Jul 5 09:07:48 2013 UDPv4 link local: [undef]
Fri Jul 5 09:07:48 2013 UDPv4 link remote: [AF_INET]123.231.22.53:1194
Fri Jul 5 09:07:54 2013 VERIFY OK: depth=2, /C=DE/ST=Berlin/L=Berlin/O=Foobar/OU=Operations/CN=SIKON_CA/emailAddress=Ope...@fo...
Fri Jul 5 09:07:54 2013 VERIFY OK: depth=1, /C=DE/ST=Berlin/L=Berlin/O=Foobar/OU=Operations/CN=STUFE3/emailAddress=Ope...@fo...
Fri Jul 5 09:07:54 2013 VERIFY OK: depth=0, /C=DE/ST=Berlin/L=Berlin/O=Foobar/OU=Operations/CN=vpn.foobar.biz
Enter John Doe (User PIN) token Password:
Fri Jul 5 09:08:00 2013 PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
Fri Jul 5 09:08:00 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
Fri Jul 5 09:08:00 2013 TLS Error: TLS object -> incoming plaintext read error
Fri Jul 5 09:08:00 2013 TLS Error: TLS handshake failed
Fri Jul 5 09:08:00 2013 TCP/UDP: Closing socket
Fri Jul 5 09:08:00 2013 SIGUSR1[soft,tls-error] received, process restarting

I think the second line seems to be the problem, but I do not understand what this means.

To verify that the token is configured correctly I added the opensc-pkcs11.so to Firefox and configured an Apache server to do client authentication with the certificate and key added to the token. After entering the token's PIN, authentication works perfectly.

My first question is whether this is an OpenSC problem or a problem of OpenVPN? What does CKR_DATA_INVALID mean? Are there any diagnostics I can make to solve the problem?

Thanks.

Ciao
Matthias
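A small log-triage helper, added here as an example (it is not from the post, nor from OpenSC or OpenVPN), that reads the kind of log quoted above and reports which side of the handshake failed: the server chain verified at depths 2, 1 and 0, and the failure came from the client's own C_Sign call through the PKCS#11 provider while OpenSSL was building the CertificateVerify message. The CKR table holds the standard Cryptoki return-code values (32 = 0x20 is indeed CKR_DATA_INVALID); the sample log is a constructed abbreviation of the poster's output.

```python
import re

# Constructed sample: abbreviated copy of the OpenVPN log lines quoted in the post.
SAMPLE_LOG = """\
Fri Jul 5 09:07:41 2013 PKCS#11: Adding PKCS#11 provider '/usr/lib/opensc-pkcs11.so'
Fri Jul 5 09:07:54 2013 VERIFY OK: depth=2, /C=DE/O=Foobar/CN=SIKON_CA
Fri Jul 5 09:07:54 2013 VERIFY OK: depth=1, /C=DE/O=Foobar/CN=STUFE3
Fri Jul 5 09:07:54 2013 VERIFY OK: depth=0, /C=DE/O=Foobar/CN=vpn.foobar.biz
Fri Jul 5 09:08:00 2013 PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
Fri Jul 5 09:08:00 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
Fri Jul 5 09:08:00 2013 TLS Error: TLS handshake failed
"""

# PKCS#11 (Cryptoki) return codes that commonly surface from a failed C_Sign.
CKR_NAMES = {
    0x00: "CKR_OK", 0x05: "CKR_GENERAL_ERROR", 0x06: "CKR_FUNCTION_FAILED",
    0x20: "CKR_DATA_INVALID", 0x21: "CKR_DATA_LEN_RANGE", 0x60: "CKR_KEY_HANDLE_INVALID",
    0x70: "CKR_MECHANISM_INVALID", 0xA0: "CKR_PIN_INCORRECT", 0x101: "CKR_USER_NOT_LOGGED_IN",
}

VERIFY_RE = re.compile(r"VERIFY OK: depth=(\d+)")
SIGN_RE = re.compile(r"PKCS#11: Cannot perform signature (\d+):'(CKR_\w+)'")
TLS_RE = re.compile(r"SSL routines:(\w+):")

def triage(log):
    """Localise a PKCS#11-backed TLS failure: what verified, which step failed, and why."""
    depths, sign_err, tls_step = set(), None, None
    for line in log.splitlines():
        if m := VERIFY_RE.search(line):
            depths.add(int(m.group(1)))          # server chain depths OpenVPN accepted
        elif m := SIGN_RE.search(line):
            code, name = int(m.group(1)), m.group(2)
            # The provider logged a numeric rv and a name; confirm they agree.
            sign_err = {"code": code, "name": name, "consistent": CKR_NAMES.get(code) == name}
        elif m := TLS_RE.search(line):
            tls_step = m.group(1)               # OpenSSL state that raised the error
    return {
        "server_chain_verified": 0 in depths,
        "sign_error": sign_err,
        "tls_step": tls_step,
        # Server chain OK but our own signature failed: the fault lies in the client's
        # sign path (OpenVPN -> PKCS#11 provider -> token), not in the peer's certificate.
        "client_sign_path_failed": (0 in depths and sign_err is not None
                                    and tls_step == "SSL3_SEND_CLIENT_VERIFY"),
    }
```

Running `triage(SAMPLE_LOG)` reports the chain as verified, the CKR code as 32/CKR_DATA_INVALID (consistent), and the failing step as SSL3_SEND_CLIENT_VERIFY, which narrows the next check to the token's signing path outside OpenVPN.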